--- - name: "4.4.2.1 | PATCH | Ensure iptables default deny firewall policy" when: - ubtu24cis_rule_4_4_2_1 - ubtu24cis_ipv4_required - not system_is_ec2 tags: - level1-server - level1-workstation - patch - rule_4.4.2.1 - NIST800-53R5_CA-9 - NIST800-53R5_SC-7 - iptables block: - name: "4.4.2.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed in" ansible.builtin.iptables: chain: INPUT protocol: tcp destination_port: 22 jump: ACCEPT ctstate: 'NEW,ESTABLISHED' notify: Iptables persistent - name: "4.4.2.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed out" ansible.builtin.iptables: chain: OUTPUT protocol: tcp source_port: 22 jump: ACCEPT ctstate: 'NEW,ESTABLISHED' notify: Iptables persistent - name: "4.4.2.1 | PATCH | Ensure iptables default deny firewall policy | Enable apt traffic" ansible.builtin.iptables: chain: INPUT ctstate: 'ESTABLISHED' jump: ACCEPT notify: Iptables persistent - name: "4.4.2.1 | PATCH | Ensure iptables default deny firewall policy | Set drop items" ansible.builtin.iptables: policy: DROP chain: "{{ item }}" notify: Iptables persistent loop: - INPUT - FORWARD - OUTPUT - name: "4.4.2.2 | PATCH | Ensure iptables loopback traffic is configured" when: - ubtu24cis_rule_4_4_2_2 - ubtu24cis_firewall_package == "iptables" - ubtu24cis_ipv4_required tags: - level1-server - level1-workstation - patch - rule_4.4.2.2 - NIST800-53R5_CA-9 - NIST800-53R5_SC-7 - iptables block: - name: "4.4.2.2 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback ACCEPT" ansible.builtin.iptables: action: append chain: INPUT in_interface: lo jump: ACCEPT notify: Iptables persistent - name: "4.4.2.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" ansible.builtin.iptables: action: append chain: OUTPUT out_interface: lo jump: ACCEPT notify: Iptables persistent - name: "4.4.2.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" ansible.builtin.iptables: action: append chain: INPUT source: 127.0.0.0/8 jump: DROP notify: Iptables persistent - name: "4.4.2.3 | PATCH | Ensure iptables outbound and established connections are configured" when: - ubtu24cis_rule_4_4_2_3 - ubtu24cis_firewall_package == "iptables" - ubtu24cis_ipv4_required tags: - level1-server - level1-workstation - patch - rule_4.4.2.3 - NIST800-53R5_CA-9 - NIST800-53R5_SC-7 - iptables ansible.builtin.iptables: action: append chain: '{{ item.chain }}' protocol: '{{ item.protocol }}' match: state ctstate: '{{ item.ctstate }}' jump: ACCEPT notify: Iptables persistent with_items: - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } - name: "4.4.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports" when: - ubtu24cis_rule_4_4_2_4 - ubtu24cis_firewall_package == "iptables" - ubtu24cis_ipv4_required tags: - level1-server - level1-workstation - audit - rule_4.4.2.4 - NIST800-53R5_CA-9 - NIST800-53R5_SC-7 - iptables vars: warn_control_id: '4.4.2.4' block: - name: "4.4.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports" ansible.builtin.command: ss -4tuln changed_when: false failed_when: false check_mode: false register: discovered_open_ports - name: "4.4.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules" ansible.builtin.command: iptables -L INPUT -v -n changed_when: false failed_when: false check_mode: false register: discovered_current_rules - name: "4.4.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Warn about settings" ansible.builtin.debug: msg: - "Warning!! Below is the list the open ports and current rules" - "Please create a rule for any open port that does not have a current rule" - "Open Ports:" - "{{ discovered_open_ports.stdout_lines }}" - "Current Rules:" - "{{ discovered_current_rules.stdout_lines }}" - name: "4.4.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Set warning count" ansible.builtin.import_tasks: file: warning_facts.yml # --------------- # --------------- # This is not a control however using the iptables module only writes to memory # if a reboot occurs that means changes can revert. This task will make the # above iptables settings permanent # --------------- # --------------- # - name: "Make IPTables persistent | Not a control" # block: # - name: "Make IPTables persistent | Install iptables-persistent" # ansible.builtin.package: # name: iptables-persistent # state: present # - name: "Make IPTables persistent | Save to persistent files" # ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4" # changed_when: discovered_iptables_save.rc == 0 # failed_when: discovered_iptables_save.rc > 0 # register: discovered_iptables_save # when: # - ubtu24cis_firewall_package == "iptables" # - ubtu24cis_save_iptables_cis_rules # - ubtu24cis_rule_4_4_2_1 or # ubtu24cis_rule_4_4_2_2 or # ubtu24cis_rule_4_4_2_3 or # ubtu24cis_rule_4_4_2_4